Human Risk Management (HRM) platform, CultureAI, has unveiled new research which shows that despite companies pouring increasing resources into their security awareness and training (SA&T) programmes, human-related breaches are still happening at an alarming rate.

According to the survey, 96% of respondents allocate between 5% and 20% of their security budgets to awareness training, while 78% train employees at least monthly.

Surveyed organisations said the leading motivation for delivering training is to change behaviours and equip employees to handle risks (51%), followed by compliance (25%) and breach prevention (24%). But regardless of the objective behind the training, 79% of surveyed organisations suffered a cyber breach due to human error in the last 12 months, with 34% experiencing multiple breaches.

Employees face an increasing range and volume of risks as they go about their daily tasks, with the widespread and increasing adoption of SaaS, GenAI, and collaboration tools creating more vulnerabilities for cyber criminals to exploit.

There is a notable correlation between the number of HRM capabilities utilised and the incidence of human factor-related breaches over the past year. Specifically, 91% of organisations with only one capability experienced a breach, compared to 70% of those employing four.

When examining the respondents who reported no data breaches, the research found a preference for more technical HRM capabilities. The most popular choices were human risk triage (45%), coaching based on risk levels (37%), nudges triggered by risks (37%), and automated interventions (32%).

63% of respondents currently spend 5% to 10% of their security budget on training with another 33% reporting that they spend 11% to 20%. This is more than anticipated, as in 2023 Gartner reported 60% of teams spend 5% or less on awareness activities, including people, processes and technology.

Says John Scott, Lead Security Researcher at CultureAI:

“Human error is inevitable, but it’s not a moral failing. We all make mistakes. Unfortunately, these mistakes can be catastrophic for organisations. It’s a challenge that every business must grapple with, and the research serves to demonstrate the prevalence of human-related breaches, even as companies invest more time and resources into security awareness and training programmes.”

